We see lots of confusion out there surrounding what exactly constitutes PHI and electronic PHI (ePHI). Let’s take a look.
According to 45 CFR 160.103:
Protected health information means individually identifiable health information...
The truth is, there isn't a short and sweet definition, especially when you consider why most people go looking for one in the first place: they want to de-identify data under 45 CFR 164.514(b).
It's nuanced. The "expert determination" route in 164.514(b)(1) hinges on phrases such as:
"A person with appropriate knowledge... determines that the risk is very small that the information could be used..."
"...other reasonably available..."
Language like that all but guarantees the question will be settled largely by interpretation and legal precedent. Discouraged yet?
Here's some advice (friendly, not legal). Err on the side of caution. Treat all electronic patient data containing any of the following identifiers (the "safe harbor" list from 45 CFR 164.514(b)(2)) as ePHI:
- Names
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code), with a narrow exception for the first three digits of a ZIP code covering more than 20,000 people
- All elements of dates except the year that relate directly to an individual (birth date, admission date, discharge date, date of death), and all ages over 89
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code
- Any of the above that identifies relatives, employers, or household members of the patient
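To make the "err on the side of caution" rule concrete, here is a small first-pass scanner that flags a free-text record as ePHI when any of the pattern-shaped identifiers above appear, and applies the corresponding safe harbor style removal (dates reduced to the year, ages over 89 collapsed). This is an added example, not code from the original post: the regexes, the `MRN` prefix convention and the sample record are all assumptions, and no regex will catch names, biometrics, photos or "other unique codes", so this is a triage tool, not a de-identification method.

```python
"""Pattern-based first pass for safe harbor identifiers in patient text.

Added example, not code from the original post. The regexes are
illustrative assumptions about record formatting; a real pipeline needs a
reviewed pattern set plus a human or NLP step for names, biometrics,
photos and "other unique codes", which no regex catches.
"""
import re
from typing import Dict, List, Tuple

# One pattern per identifier class that is reasonably pattern-shaped.
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Month/day/year. Safe harbor lets the year alone survive.
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Assumed local convention: medical record numbers are written "MRN <digits>".
    "mrn": re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.IGNORECASE),
    # Ages are only identifiers when over 89; scan() applies that rule.
    "age": re.compile(r"\bage\s+(\d{1,3})\b", re.IGNORECASE),
}


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (identifier_class, matched_text) for every hit in text."""
    hits: List[Tuple[str, str]] = []
    for name, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            if name == "age" and int(m.group(1)) <= 89:
                continue  # 89 and under is not a safe harbor identifier
            hits.append((name, m.group(0)))
    return hits


def is_ephi(text: str) -> bool:
    """The conservative rule from the post: any identifier present means treat as ePHI."""
    return bool(scan(text))


def redact(text: str) -> str:
    """Tag identifiers, keep only the year of dates, collapse ages over 89 to '90+'."""
    out = text
    for name, pattern in IDENTIFIER_PATTERNS.items():
        if name == "date":
            out = pattern.sub(lambda m: m.group(3), out)
        elif name == "age":
            out = pattern.sub(
                lambda m: "age 90+" if int(m.group(1)) > 89 else m.group(0), out
            )
        else:
            out = pattern.sub(f"[{name.upper()}]", out)
    return out


# Constructed sample record (fictional data, not real patient information).
RECORD = (
    "Patient John Doe, MRN 00123456, DOB 03/14/1931, age 92, admitted 05/02/2023. "
    "Lives at ZIP 02139. Phone (555) 123-4567, email jdoe@example.com, "
    "SSN 123-45-6789. Portal login from 10.0.0.12. Diagnosis: hypertension."
)

if __name__ == "__main__":
    for cls, value in scan(RECORD):
        print(f"{cls:6} {value}")
    print("ePHI:", is_ephi(RECORD))
    print(redact(RECORD))
```

Note what survives in the redacted output: the patient's name. That is the point of the caveat above; a pattern scanner tells you a record is ePHI, it does not tell you a record is clean, and safe harbor additionally requires that you have no actual knowledge the remaining data could identify the individual.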
Above all, the stakes are generally high when it comes to PHI / ePHI; consult legal counsel as appropriate.